$1,600,000 USD

APRIL 2024

GLOBAL

PIKE FINANCE

DESCRIPTION OF EVENTS

Pike Finance

 

Upgrading the smart contract introduced a vulnerability: the storage layout of the new code no longer matched the data already written by the previous version, so existing state was read at the wrong slots.

 

"In order to pause the protocol, the spoke contracts were upgraded and there was the inclusion of an additional dependency within the smart contract code.

 

This dependency introduced new variables which altered the storage layout - in particular, the position of the *initialized* variable.

 

As a result, the position occupied by the *initialized* variable was taken over by other variables, leading to a misalignment in storage mapping.

 

This misalignment caused the contract to behave as if it was uninitialized, since the *initialized* variable could no longer be accessed.

 

As a result, attackers were then able to upgrade the spoke contracts, bypassing admin access, and as a result, withdraw funds."
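The storage-layout collision described in the post-mortem above, as an added example that is not Pike Finance's code: a hypothetical V1 spoke inheriting an `Initializable` base is upgraded to a V2 that prepends a pause dependency carrying its own state variables. A small layout calculator (a simplified version of Solidity's slot-packing rules, flattening inheritance base-first and not handling diamond inheritance) shows every inherited variable, `initialized` included, shifting to a new slot. The same slot arithmetic then reads V1's stored data through V2's layout: `initialized` now lands on the base slot of a mapping, which is never written, and reads as false, which is exactly the state in which an `initializer`-guarded setup function can be called a second time by anyone. The contract and variable names and the admin address are assumptions for the example.

```python
"""Storage-layout diff across an upgrade, modelled on the Pike spoke incident.

Added example, not Pike Finance code. The contracts, variable names and the
admin address are hypothetical, and the layout rules are a simplified version
of Solidity's: value types pack from the low-order end of 32-byte slots,
mappings always take a fresh slot, inheritance flattens base-first, and no
diamond inheritance is handled.
"""
from dataclasses import dataclass, field

SLOT_BYTES = 32
TYPE_SIZE = {"bool": 1, "uint8": 1, "address": 20, "uint256": 32, "mapping": 32}
FULL_SLOT = {"mapping"}          # never packed with neighbouring variables


@dataclass
class Contract:
    name: str
    vars: list                    # (type, name) in declaration order
    bases: list = field(default_factory=list)   # written order of `is A, B`


@dataclass(frozen=True)
class Var:
    name: str
    slot: int
    offset: int                   # byte offset from the low-order end of the slot
    size: int


def linearize(c):
    """`X is A, B` lays out A's state, then B's, then X's (no diamonds handled)."""
    order = []
    for base in c.bases:
        for anc in linearize(base):
            if anc not in order:
                order.append(anc)
    order.append(c)
    return order


def storage_layout(c):
    """Assign (slot, offset) to every state variable reachable from c."""
    layout, slot, used = [], 0, 0          # `used` = bytes consumed in current slot
    for contract in linearize(c):
        for typ, name in contract.vars:
            size = TYPE_SIZE[typ]
            if typ in FULL_SLOT or used + size > SLOT_BYTES:
                if used:                   # current slot is partly used: start a new one
                    slot, used = slot + 1, 0
            layout.append(Var(name, slot, used, size))
            used += size
            if typ in FULL_SLOT or used == SLOT_BYTES:
                slot, used = slot + 1, 0   # next variable must start a fresh slot
    return layout


def positions(layout):
    return {v.name: (v.slot, v.offset) for v in layout}


def moved_vars(old, new):
    """Variables present in both layouts whose slot or offset changed."""
    o, n = positions(old), positions(new)
    return {k: (o[k], n[k]) for k in o if k in n and o[k] != n[k]}


def write_var(storage, var, value):
    mask = ((1 << (8 * var.size)) - 1) << (8 * var.offset)
    word = storage.get(var.slot, 0)
    storage[var.slot] = (word & ~mask) | ((value << (8 * var.offset)) & mask)


def read_var(storage, var):
    return (storage.get(var.slot, 0) >> (8 * var.offset)) & ((1 << (8 * var.size)) - 1)


# Hypothetical contracts: V1 spoke, then V2 with a pause dependency prepended.
INITIALIZABLE = Contract("Initializable", [("bool", "initialized"), ("bool", "initializing")])
PAUSE_GUARD = Contract("PauseGuard", [("uint256", "pausedAt"), ("address", "pauser")])
SPOKE_VARS = [("address", "admin"), ("mapping", "deposits"), ("uint256", "totalDeposits")]
SPOKE_V1 = Contract("SpokeV1", SPOKE_VARS, [INITIALIZABLE])
SPOKE_V2 = Contract("SpokeV2", SPOKE_VARS, [PAUSE_GUARD, INITIALIZABLE])

ADMIN = int("AD" + "00" * 18 + "AD", 16)   # hypothetical 20-byte admin address


def initialized_v1_storage():
    """Storage after SpokeV1.initialize(ADMIN) and some deposits (constructed data)."""
    storage, v1 = {}, {v.name: v for v in storage_layout(SPOKE_V1)}
    write_var(storage, v1["initialized"], 1)
    write_var(storage, v1["admin"], ADMIN)
    write_var(storage, v1["totalDeposits"], 10**21)
    return storage                         # the mapping's base slot stays untouched


def initializer_check_after_upgrade():
    """What V2's `initializer` guard sees when it reads V1's data through V2's layout."""
    storage = initialized_v1_storage()
    v2 = {v.name: v for v in storage_layout(SPOKE_V2)}
    return {"initialized": read_var(storage, v2["initialized"]),
            "admin": read_var(storage, v2["admin"])}


if __name__ == "__main__":
    for name, (old, new) in moved_vars(storage_layout(SPOKE_V1),
                                       storage_layout(SPOKE_V2)).items():
        print(f"{name}: slot {old[0]} offset {old[1]} -> slot {new[0]} offset {new[1]}")
    print(initializer_check_after_upgrade())   # initialized reads 0, admin reads junk
```

This is the check to run before shipping any upgrade: produce the old and new layouts (for real contracts `solc --storage-layout` or the OpenZeppelin upgrades plugin does this) and refuse to deploy if any existing variable moves. New state belongs after the existing variables, or in a reserved storage gap, never in a base contract inserted ahead of them.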

 

Attacker: 0x19066f7431df29a0910d287c8822936bb7d89e23

 

Attack contract: 0x1da4bc596bfb1087f2f7999b0340fcba03c47fbd

 

Target contract: 0xfc7599cffea9de127a9f9c748ccb451a34d2f063

 

Attack transaction on Optimism: not given on this page (the value listed here, 0x19066f7431df29a0910d287c8822936bb7d89e23, is the attacker address rather than a transaction hash)

Attack transaction on Arbitrum: not given on this page (the value listed here, 0x19066f7431df29a0910d287c8822936bb7d89e23, is again the attacker address rather than a transaction hash)

 

Attack Transaction on Ethereum: 0xe2912b8bf34d561983f2ae95f34e33ecc7792a2905a3e317fcc98052bce66431

 

On the 30th of April 2024, the Pike Beta protocol was exploited for 99,970.48 ARB, 64,126 OP and 479.39 ETH.

 

The Pike Finance team acknowledged the exploit and published a blog post with the plan forward.

 

Ongoing.

 

The Pike Finance team published a blog post with the plan forward.

 

"In the coming days, we will disclose a full list of wallet addresses with active supply and borrow positions prior to the protocol halt as of April 26 08:35 PM UTC. Addresses with a supply position will have a credit balance, and addresses with a borrow position will have a debit balance. We will calculate the Net Balance [Total Value of Supply - Total Value of Borrow] and assess whether liquidation levels have been triggered using asset prices as of April 26 08:35 PM UTC. Addresses with a positive net balance after accounting for liquidation checks will be restituted in full directly to their wallets ($OP via Optimism, $ARB via Arbitrum, $ETH and $USDC via Base)."

 

"The Community Treasury allocation of $P has been set aside for various usages, however one of these is of course, as an insurance fund.

 

As a result, we will be using 4% of the total supply of $P (from the Community Treasury allocation) as collateral to borrow the necessary stablecoin funds from the team treasury (around $2M USD across both exploits).

 

These will then be used to purchase the relevant assets on the open market and reimburse users for what they had within Pike prior to the exploit.

 

As the protocol generates revenue and launches the $P token, this loan will then be paid back accordingly - transferring the $P tokens used as collateral to the Foundation Treasury.

 

Once the debt is repaid, the $P will be released back to Insurance pool"

 

Refunds are still ongoing.

Pike Finance is a lending protocol that allows loans to be taken out against collateral held on other chains. Its smart contracts had been upgraded after an earlier issue in which USDC could be withdrawn without proper validation. The upgrade that corrected that issue introduced a second vulnerability: the new code's storage layout moved the initialized flag, so the contract no longer considered itself initialized, and all assets could be drained from it. The team eventually promised refunds to users, which have yet to be honoured.

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.